
Re: sufficient account management checking for locally defined users



>>>>> "Luke" == Luke Howard <lukeh@PADL.COM> writes:

    >> account    required     pam_unix.so
    >> account    [default=die success=ok authinfo_unavail=ignore user_unknown=ignore] pam_ldap.so

    >> This means that pam_ldap can happily return PAM_USER_UNKNOWN,
    >> and PAM can then ignore this return value.  This works, but
    >> doesn't satisfy the policy I've outlined above.

    Luke> You can also use the ignore_unknown_user option to pam_ldap,
    Luke> for versions of PAM that do not support this extended
    Luke> configuration syntax.

I know about this option, but it still doesn't help me satisfy the
policy I'm after: do not run any code (especially network-related
code) that doesn't need to be run.  I do not want to run any pam_ldap
code (or nss_ldap code, for that matter) for locally defined users.
Running such code is unnecessary.  I should be able to implement this
policy...

By the way, I definitely appreciate the efforts of the people who work
on PAM, pam_ldap or OpenLDAP.  I'm not trying to denigrate anyone or
the software they produce.  I'm just trying to solve what I see as a
bigger problem...

Thanks...

peace & happiness,
martin
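As an added illustration (not code from the thread or from the PAM/pam_ldap projects), a toy Python model of how an account stack dispatches modules under the control syntax quoted above, showing that the quoted stack still calls pam_ldap for a local user. The alternative stack is an assumption, not something the thread proposes: it assumes pam_unix resolves users through NSS (so it also sees LDAP users), that pam_localuser.so reads /etc/passwd directly, and that the `success=N` jump action is available.

```python
"""Toy model of a Linux-PAM account stack (added illustration; simplified, not libpam's engine)."""

PAM_SUCCESS, PAM_USER_UNKNOWN = "success", "user_unknown"

# Constructed user databases: one account in /etc/passwd, one only in LDAP.
LOCAL_USERS = {"martin"}
LDAP_USERS = {"alice"}

def pam_unix(user):
    # pam_unix resolves users through NSS, so with nss_ldap it sees both sets.
    return PAM_SUCCESS if user in LOCAL_USERS | LDAP_USERS else PAM_USER_UNKNOWN

def pam_localuser(user):
    # pam_localuser.so reads /etc/passwd directly; LDAP-only users are unknown.
    return PAM_SUCCESS if user in LOCAL_USERS else PAM_USER_UNKNOWN

def pam_ldap(user):
    # The network-backed module the thread wants to avoid for local users.
    return PAM_SUCCESS if user in LDAP_USERS else PAM_USER_UNKNOWN

REQUIRED = {"success": "ok", "default": "bad"}      # what "required" expands to
LDAP_CTRL = {"default": "die", "success": "ok",      # the quoted pam_ldap line
             "authinfo_unavail": "ignore", "user_unknown": "ignore"}

def run_stack(stack, user):
    """Walk the stack; return (final result, names of modules actually called)."""
    called, failure, skip = [], None, 0
    for name, module, ctrl in stack:
        if skip:                                  # inside a success=N jump
            skip -= 1
            continue
        rc = module(user)
        called.append(name)
        action = ctrl.get(rc, ctrl.get("default", "bad"))
        if isinstance(action, int):               # jump over the next N entries
            skip = action
        elif action == "die":                     # fatal: stop with this code
            return rc, called
        elif action == "bad" and failure is None: # remember the first failure
            failure = rc
        # "ok" and "ignore" change nothing in this simplified model
    return failure or PAM_SUCCESS, called

# The stack quoted in the thread: pam_ldap is consulted for every user.
QUOTED_STACK = [("pam_unix", pam_unix, REQUIRED), ("pam_ldap", pam_ldap, LDAP_CTRL)]

# Assumed alternative (not from the thread): a success=1 jump skips pam_ldap
# whenever pam_localuser confirms the account exists in /etc/passwd.
SKIP_STACK = [("pam_unix", pam_unix, REQUIRED),
              ("pam_localuser", pam_localuser, {"success": 1, "default": "ignore"}),
              ("pam_ldap", pam_ldap, LDAP_CTRL)]
```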
